apple-data 0.1.0

data/share/resources.yaml

@@ -0,0 +1,199 @@
+---
+- url: https://github.com/alephsecurity/xnu-qemu-arm64/wiki/Build-iOS-on-QEMU
+  title: Run iOS on QEMU
+  type: article
+- url: https://github.com/onethawt/idaplugins-list
+  title: onethawt's list of IDA plugins
+  type: article
+- url: https://github.com/AllsafeCyberSecurity/awesome-ghidra
+  title: Awesome Ghirda Plugins
+  type: article
+- url: https://blog.t8012.dev/ace-part-1/
+  title: USB-C Port Controller (ACE) Secrets
+  type: article
+- url: http://ramtin-amin.fr/#tristar
+  title: Ramtin Amin's Tristar Reverse Engineering
+  type: article
+- url: https://nyansatan.github.io/lightning/
+  title: Nyan Satin's Lightning Reverse Engineering
+  type: article
+- url: Ramtin Amin's NVMe PCIe Reverse Engineering
+  title: http://ramtin-amin.fr/#nvmepcie
+  type: article
+- url: http://ramtin-amin.fr/#nvmedma
+  title: Ramtin Amin's NVMe DMA Reverse Engineering
+  type: article
+- url: https://github.com/hack-different/mootool
+  type: repo
+  name: mootool
+  description: FOSS Ruby Mach-O Tool (aims to replicate jtool2 feature set)
+  categories:
+    - tool
+    - re
+    - ruby
+- url: https://github.com/cxnder/ktool
+  type: repo
+  name: ktool
+  description: FOSS Python Mach-O Tool
+  categories:
+    - tool
+    - re
+    - python
+- url: https://github.com/checkra1n/toolchain
+  type: repo
+  name: checkra1n-toolchain
+  description: Toolchain used to compile checkra1n and pongoOS
+  categories:
+    - toolchain
+    - c
+- url: https://github.com/alephsecurity/xnu-qemu-arm64
+  type: repo
+  name: alephsecurity/xnu-qemu-arm64
+  description: QEMU branch for emulating iOS / XNU on arm64
+  categories:
+    - emulation
+    - c
+    - xnu
+- url: https://github.com/alephsecurity/xnu-qemu-arm64-tools
+  type: repo
+  name: alephsecurity/xnu-qemu-arm64-tools
+  description: Tooling to prepare an image for QEMU
+  categories:
+    - tool
+    - emulation
+- url: https://github.com/cellebrite-srl/ida_kernelcache
+  type: repo
+  name: cellebrite-srl/ida_kernelcache
+  description: IDA plugin for XNU kernelcaches
+  categories:
+    - ida_plugin
+    - disassembly
+    - re
+- url: https://github.com/cellebrite-srl/PacXplorer
+  type: repo
+  name: cellebrite-srl/PacExplorer
+  description: IDA plugin for pointer authentication
+  categories:
+    - ida_plugin
+    - disassembly
+    - re
+- url: https://github.com/cellebrite-srl/FunctionInliner
+  type: repo
+  name: cellebrite-srl/FunctionInliner
+  description: IDA plugin for function inlining
+  categories:
+    - ida_plugin
+    - disassembly
+    - re
+- url: https://github.com/0x36/ghidra_kernelcache
+  type: repo
+  name: 0x36/ghidra_kernelcache
+  description: Ghidra plugin for XNU kernel caches
+  categories:
+    - ghidra_plugin
+    - disassembly
+    - re
+- url: https://github.com/blacktop/ipsw
+  type: repo
+  name: blacktop/ipsw
+  description: Swiss army knife for IPSWs
+  categories:
+    - tool
+- url: https://github.com/checkra1n/pongoOS
+  type: repo
+  name: pongoOS
+- url: https://github.com/t8012/demuxusb
+  type: repo
+  name: DeMuxUSB - USBMuxD disector
+- url: https://github.com/libimobiledevice/usbmuxd
+  type: repo
+  name: open source usbmuxd implementation from libimobiledevice
+- url: https://github.com/libimobiledevice/libimobiledevice
+  type: repo
+  name: libimobiledevice
+- url: https://github.com/libimobiledevice/libirecovery
+  type: repo
+  name: libirecovery - low level iBoot / DFU handler
+- url: https://github.com/libimobiledevice/idevicerestore
+  type: repo
+  name: idevicerestore - open source Apple device restore tool
+- url: https://github.com/rickmark/apple_utdm
+  type: repo
+  name: UTDM - USB Target Disk Mode
+- url: https://github.com/rickmark/macvdmtool
+  type: repo
+  name: MacVDMTool and Library - USB-PD Vendor Defined Messsages
+- url: https://github.com/gh2o/rvi_capture
+  type: repo
+  name: Apple Remote Virtaul Interface
+- url: https://github.com/osy/ThunderboltPatcher
+  type: repo
+  name: Thunderbolt Patcher by osy
+- url: https://github.com/rickmark/awdd_decode
+  type: repo
+  name: Apple Wireless Diagnostics logging decode
+- url: https://github.com/mikebrady/shairport-sync
+  type: repo
+  name: Shareport - AirPlay2 implementation
+- url: https://github.com/rickmark/libibackup
+  type: repo
+  name: open source iOS backup library
+- url: https://github.com/iineva/bom
+  type: repo
+  name: BOM - Bill of Materials by NeXT / Apple
+- url: https://github.com/libimobiledevice/libplist
+  type: repo
+  name: Open source plist implementation
+- url: https://github.com/josephw/titl
+  type: repo
+  name: Open Source iTunes Library Parser
+- url: https://github.com/sbingner/ldid
+  type: repo
+  name: SBinger's fork of the ldid link editor
+- url: https://github.com/t8012/efivalidate
+  type: repo
+  name: T1 and prior EFI firmware verification
+- url: https://github.com/hekapooios/hekapooios.github.io
+  type: repo
+  name: List of all SecureROM / SEPROMs
+- url: https://github.com/seemoo-lab/openwifipass
+  type: repo
+  name: Apple WiFi Password Sharing Implementation
+- url: https://github.com/t8012/smcutil
+  type: repo
+  name: Create SMC binaries from update payloads
+- url: https://github.com/acidanthera/VirtualSMC
+  type: repo
+  name: Virtual SMC implementation for Clover
+- name: IDA - The Intellegent Disassembler
+  type: tool
+  url: https://hex-rays.com/ida-pro/
+- name: VisUAL ARM Simulator
+  type: tool
+  url: https://salmanarif.bitbucket.io/visual/index.html
+- name: Ghidra Disassembler
+  type: tool
+  url: https://ghidra-sre.org
+  open_source: true
+- name: Hopper Disassembler
+  type: tool
+  url: https://www.hopperapp.com
+- name: jtool2 by Levin
+  type: tool
+  url: https://www.newosxbook.com/tools/jtool.html
+- name: Frida - Dynamic instrumentation toolkit for developers
+  url: https://frida.re/
+  type: tool
+  open_source: true
+- name: libimobiledevice - open source Apple / iTunes implementation
+  type: tool
+  url: https://libimobiledevice.org
+- url: https://developer.apple.com/library/content/documentation/Darwin/Conceptual/KernelProgramming
+  type: article
+  title: Apple - Kernel Programming Guide
+- url: https://developer.apple.com/library/content/documentation/DeviceDrivers/Conceptual/IOKitFundamentals
+  type: article
+  title: Apple - IOKit Fundamentals
+- url: https://developer.apple.com/library/content/documentation/Performance/Conceptual/ManagingMemory/Articles/AboutMemory.html
+  type: article
+  title: Apple - Virtual Memory System

data/share/sep.yaml

@@ -0,0 +1,210 @@
+---
+services:
+- service: SEPD # Incorrect: fixed at ID 0, sepd is a play on launchd
+  fixed_endpoint: 0
+  xnu_name: AppleSEPControl
+  xnu_kext: AppleSEPManager
+  opcodes:
+  - id: 0
+    const: kOpCode_NOP
+    description: No operation
+  - id: 2
+    const: kOpCode_SET_OOL_IN_ADDR
+    description: set the address of a block of AP memory to be transfered to the SEP for the next request
+  - id: 3
+    const: kOpCode_SET_OOL_OUT_ADDR
+    description: set the address of a block of AP memory to be used to return the result of a given SEP response
+  - id: 4
+    const: kOpCode_SET_OOL_IN_SIZE
+    description: set the size of the memory block to be transfered to the endpoint as a parameter
+  - id: 5
+    const: kOpCode_SET_OOL_OUT_SIZE
+    description: set the size of the memory block allocated to the be written to as a response to a SEP request
+  - id: 10
+    const: kOpCode_TTYIN
+  - id: 12
+    const: kOpCode_Sleep
+    description: put the SEP into low power and wait for an external IRQ
+  - id: 19
+    name: kOpCode_Nap
+    description: put the SEP into low power and wake after a timeout
+  - id: 0x14
+    const: kOpCode_SECMODE_REQUEST
+    description: get the current effective security mode of the SEP
+  - id: 0x18
+    const: kOpCode_SELFTEST
+    description: perform diagnostics and internal consistancy checks on the the SEP
+  - id: 0x25
+    name: kOpCode_ERASE_INSTALL
+    description: Queue the system for a wipe and install of IPSW
+  - id: 0x26
+    const: kOpCode_L4_PANIC
+    description: Panic the L4 microkernel
+  - id: 0x27
+    const: kOpCode_SEPOSPANIC
+    description: Panic the SEPOS
+- service: slog # Incorrect: notknown - Sep logging service
+  description: SEP logging service
+  xnu_name: AppleSEPLogger
+  xnu_kext: AppleSEPManager
+- service: arts # Incorrect: ART storage
+  description: Anti-replay Token Storage
+  xnu_name: AppleSEPARTStorage
+  xnu_kext: AppleSEPManager
+- service: artr # Incorrect: not known - SEP anti-replay storage
+  description: Anti-replay token request
+  xnu_name:
+- service: sepS
+  description: SEP services endpoint
+- service: sbio
+  description: Secure Biometic Services
+- service: skgs
+  description: Secure Key Generation Service
+- service: xarm
+  description: xART
+- service: xars
+  description: xART
+- service: cntl
+  description:
+- service: sidv
+  description:
+- service: test
+  description: Test Service
+- service: sars
+  description: Secure Anti-Replay Service
+- service: enti
+  description: Entitlement Service
+- service: debg # Incorrect: not known
+  description: Debug
+  xnu_name: AppleSEPDebug
+  xnu_kext: AppleSEPManager
+- service: sks\0
+  description: Secure Key Storage (AppleKeyStore)
+  xnu_name: AppleSEPKeyStore
+  xnu_kext: AppleSEPKeyStore
+- service: sse\0
+  description: Proxy access to the SE (secure element)
+  xnu_kext: AppleSSE
+- service: scrd
+  description: Secure Credential Manager (AppleCredentialStore)
+  xnu_kext: AppleCredentialManager
+- service: lpol # Incorrect: unknown
+  name: boot_policy # Incorrect: not known yet
+  description: Manage Apple Silicon macOS boot policy
+  opcodes:
+  - id: 2
+    name: begin_update_policy
+    description: Begin a boot policy update operation
+  - id: 3
+    name: end_update_policy
+- service: disc # Incorrect - not known
+  fixed_endpoint: 253
+  name: discovery # Incorrect: not 4CC
+  description: >-
+      First advertise, then expose
+
+      `id` is endpoint number
+      `name` is `'scrd'` or `'sks\0'` for example. (4 char code)
+
+      struct app_info
+      {
+        uint64_t physical_addr;
+        uint32_t virtual_base;
+        uint32_t size;
+        uint32_t entry;
+        uint8_t name[12];
+        uint8_t hash[16];
+      }
+  opcodes:
+  - id: 0
+    name: advertise
+    request_struct: |
+      // Credit: ntrung03
+      struct ep_advertise_data {
+        uint8_t id; /* param */
+        uint32_t name; /* data, Apple 4CC for the applet name */
+      };
+  - id: 1
+    name: expose
+    request_struct: |
+      // Credit: ntrung03
+      struct ep_expose_data {
+        uint8_t id; /* param */
+        char ool_in_min_pages;
+        char ool_in_max_pages;
+        char ool_out_min_pages;
+        char ool_out_max_pages;
+      };
+- service: krnl # Incorrect: not known yet
+  fixed_endpoint: 254
+  name: L4info
+  opcodes:
+  - id: 0
+    name: L4_Ipc
+    desciption: Set up ipc between two threads
+  - id: 4
+    name: L4_ThreadSwitch
+    description: Yield execution to thread
+  - id: 8
+    name: L4_ThreadControl
+    description: Create or delete threads
+    privileged: true
+  - id: 0xC
+    name: L4_ExchangeRegisters
+    description: Exchange registers
+  - id: 0x10
+    name: L4_Schedule
+    description: Set thread scheduling information
+  - id: 0x14
+    name: L4_MapControl
+    description: Map or free virtual memory
+    privileged: true
+  - id: 0x18
+    name: L4_SpaceControl
+    description: Create a new address space
+    privileged: true
+  - id: 0x1C
+    name: L4_ProcessorControl
+    description: Sets processor attributes
+  - id: 0x20
+    name: L4_CacheControl
+    description: Cache flushing
+  - id: 0x24
+    name: L4_IpcControl
+    description: Adjust IPC access
+    privileged: true
+  - id: 0x28
+    name: L4_InterruptControl
+    description: Enable or disable an interrupt
+    privileged: true
+  - id: 0x2C
+    name: L4_GetTimebase
+    description: Gets the system time
+  - id: 0x30
+    name: L4_SetTimeout
+    description: Set timeout for IPC sessions
+  - id: 0x34
+    name: L4_SharedMappingControl
+    description: Set up a shared mapping
+    privileged: true
+  - id: 0x38
+    name: L4_SleepKernel
+    description: cause the SEP kernel to sleep until an external inturupt occurs
+  - id: 0x3C
+    name: L4_PowerControl
+  - id: 0x40
+    name: L4_KernelInterface
+    description: Get information about the running L4 kernel
+- service: sepr # Incorrect: not known yet
+  fixed_endpoint: 255
+  name: seprom # Incorrect: not 4CC - name not important as it is always at 255
+  opcodes:
+  - id: 01
+    name: ping
+    description: request a pong from the SEP
+  - id: 0x0F
+    name: panic
+    description: Common to all Apps, panic
+  - id: 10
+    name: random
+    description: get random bytes from the SEP